The author is a Forbes contributor. The opinions expressed are those of the writer.


Careful where you point your new headset, Google Glass owners: As with a small child, some graphic images have been known to corrupt the young device's impressionable brain.

Researchers at the security firm Lookout Mobile say they developed an attack last spring that could compromise Google's device when the user merely took a photo that captured a malicious QR code, the square graphic labels often used to link smartphone users to websites and by Google Glass to set up the headset's Wi-Fi connections. Lookout's researchers, who reported the bug to Google and have already helped the company issue a fix for the flaw, found that they could craft malformed QR codes that, when photographed, crashed Glass or connected the headset to a rogue Wi-Fi hotspot capable of stripping away the encryption on the device's communications or directing it to a malicious website designed to take full control of the device.

"Google has set up the device so that Glass scans every photo you take for something interesting," says Lookout researcher Marc Rogers. "While that's exciting, the fact that Glass can parse photographs opened up a vulnerability. By understanding and reverse engineering the QR codes, we were able to create malicious ones that would silently reconfigure the device."

Rogers imagines a scenario where someone wearing a T-shirt showing a maliciously crafted QR code could "photobomb" a user, inserting himself in the back of the scene and causing the headset to scan the attacker's code. Rogers even printed sample malicious QR code stickers that could be planted on top of innocuous QR codes on advertisements or other signs to trick unsuspecting Glass users.

Lookout reported the QR code issue to Google in mid-May, and it was fixed with an automatic software update two weeks later, according to Rogers. Glass now interprets QR codes only in certain modes, such as when the user is choosing a Wi-Fi network, rather than by default. "We take security very seriously at Glass," a Google Glass spokesperson writes to me in an email, adding that one of the goals of its beta-testing "Explorer" program for Glass is to "discover vulnerabilities that we can research and work to address before we launch it more broadly."

Despite the fact that Glass's vulnerability to rogue QR codes was patched before it could be exploited outside of a lab, Glass may yet become a tempting target for actual criminal attacks as the headsets are more widely adopted. In April, Android developer Jay Freeman created the first "jailbreak" for Glass that allows any unauthorized software to be installed on the device. He also warned that Glass's ability to watch a user's entire life meant that compromising the device could allow serious breaches of privacy. "Nothing is safe once your Glass has been hacked," Freeman wrote. "A bugged Glass doesn't just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do. The only thing it doesn't know are your thoughts."

Here's hoping that when Glass is released to more than a few early adopters, it takes more than a mere QR code to turn it into a 24/7 spying device.